Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132900 times)


edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #60 on: November 01, 2009, 03:59:44 AM »
Oh, yes, of course.  ;D

All it's saying is that you are running with full privilege. Puppy always runs that way. In Windows-ese, you're running as administrator.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #61 on: November 01, 2009, 04:04:01 AM »
Ready to hit f1Scan
So I will see you later??

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #62 on: November 01, 2009, 04:07:34 AM »
I'll be around! I'm going to go to bed soon, as I think you should. Once you do hit the "F1 scan" button, it should start rifling through your hard drive, looking for creepy-crawlies! If it doesn't run for very long, we'll have to check the settings.

Once I go to bed, I likely won't be available until tomorrow afternoon (after Church) but I think you have the info to get a good solid scan done by then, and then we can fix the findings then. Will that work for you?

Let me know if it looks like the first part of the scan is going properly.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #63 on: November 01, 2009, 05:04:24 AM »
Scan is finished.. doesn't look like it found much..
But I am not sure I am looking at the right file.

Let me know what to do next..

Omega40

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #64 on: November 01, 2009, 10:20:09 AM »
(F5 F5 F5.)... am watching this thread with bated breath!

Love to you all!
Omega40

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #65 on: November 01, 2009, 12:30:22 PM »
A linux cd is a good option although malware now infects the following system drivers (this is the latest list)

%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys

And as they get better at circumventing system protection they will add more to the list. At the moment the main priority is to get you up and running again - so replacing the iastor.sys file will achieve that.

If I have read rightly you are booting to a live cd and copying a fresh copy of this file to system 32 - is that correct?
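As an added example (not code from the thread or from any of its participants), here is a small POSIX shell check that can be run from the Puppy Linux live CD once the Windows partition is mounted: for each driver in the list above it compares the copy in system32\drivers with the Windows File Protection copy in system32\dllcache. It assumes the Windows directory is mounted at a path you pass in (e.g. /mnt/sda2/WINDOWS) and that both directories exist; drivers with no dllcache copy (third-party ones such as iaStor.sys) are reported with their size so they can be compared by hand against the vendor's download.

```shell
#!/bin/sh
# Drivers named in the thread as targets of this infection.
DRIVERS="iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys"

# check_drivers WINROOT
#   WINROOT is the mounted Windows directory (assumed, e.g. /mnt/sda2/WINDOWS).
#   Prints one line per driver: MATCH, MISMATCH, NOCACHE <size> bytes, or MISSING.
#   Note: ntfs-3g lookups are case-sensitive, so the names must match on-disk case.
check_drivers() {
  root="$1"
  for d in $DRIVERS; do
    live="$root/system32/drivers/$d"
    cache="$root/system32/dllcache/$d"
    if [ ! -f "$live" ]; then
      echo "MISSING $d"
    elif [ ! -f "$cache" ]; then
      # No WFP copy to compare against: report size for a manual check.
      echo "NOCACHE $d $(wc -c < "$live" | tr -d ' ') bytes"
    elif cmp -s "$live" "$cache"; then
      echo "MATCH $d"
    else
      echo "MISMATCH $d"
    fi
  done
}

# make_demo: builds a constructed, throw-away tree (not a real Windows install)
# so the check can be exercised offline; prints the tree's path.
make_demo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/system32/drivers" "$demo/system32/dllcache"
  printf 'clean atapi'  > "$demo/system32/drivers/atapi.sys"    # matches cache
  printf 'clean atapi'  > "$demo/system32/dllcache/atapi.sys"
  printf 'clean iastor' > "$demo/system32/drivers/iaStor.sys"   # no cache copy
  printf 'patched'      > "$demo/system32/drivers/AGP440.sys"   # differs from cache
  printf 'clean agp440' > "$demo/system32/dllcache/AGP440.sys"
  echo "$demo"
}

# Usage: sh check.sh /mnt/sda2/WINDOWS
if [ $# -eq 1 ]; then
  check_drivers "$1"
fi
```

A MISMATCH is a lead, not proof: a hotfix can legitimately leave the live driver newer than the dllcache copy, so compare version and signature before replacing it.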

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #66 on: November 01, 2009, 02:21:57 PM »
essexboy

I booted using the Puppy Linux CD and have access through linux to the computer

Did an XFPROT scan only .. found 1 infected file.. did it again .. found 2 infected files.

That is pretty much where we left off.. he went to bed .. I took a much needed break

It is now 9AM where I live..

I believe my mentor "edifyguy" intends to get rid of the viruses and then repair windows.

Is that what you would do?

It has been a very long time since I burned to CDs so it took me awhile to get it
right.. I have not done the iaStor.sys as yet.

I kinda thought getting rid of the viruses first was a good idea..

Where did this list come from:

"A linux cd is a good option although malware now infects the following system drivers (this is the latest list)

%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys
"

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #67 on: November 01, 2009, 02:35:41 PM »
Omega40

Welcome!

Looks like we have quite a following.. I guess I am not the only one
who has ONE NASTY VIRUS/TROJAN

snowflake

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #68 on: November 01, 2009, 03:16:27 PM »
If I may...Is this not all really working 'blind' ?

Unless I have completely missed it, I note this forum does not have a section for members to post their HJT Logs for analysis by Trained Helpers..

Lynn210 has been asked to run the ComboFix tool but which Trained Helper on here will be analysing its report? Surely, until her HJT log is analysed and the infections noted how can we know that the ComboFix tool is the right one to run; attempting to run that tool on an inappropriate infection can cause unwanted effects which include rendering the computer completely useless :'(

Has anyone Trained in HJT analysis yet seen an HJT log from this computer to see what may be going on?

Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #69 on: November 01, 2009, 03:23:13 PM »
Quote
I believe my mentor "edifyguy" intends to get rid of the viruses and then repair windows.

Is that what you would do?
This is the only way to do it as far as I can see, although I would probably work on the repair first. At the moment there is no AV that I am aware of that can detect or repair this particular infection.

What we need to do is replace the bad iastor file with a clean copy. Were you able to extract it from the dell site? One other option is to do a parallel install. That would leave your documents and settings intact but replace windows entirely.

Quote
Where did this list come from:

"A linux cd is a good option although malware now infects the following system drivers (this is the latest list)

%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys
"
These are files that have been compromised that we have so far located - with control of these files you can control what programmes run with the system. The list is growing though.

Quote
If I may...Is this not all really working 'blind' ?

Unless I have completely missed it, I note this forum does not have a section for members to post their HJT Logs for analysis by Trained Helpers..

Lynn210 has been asked to run the ComboFix tool but which Trained Helper on here will be analysing its report? Surely, until her HJT log is analysed and the infections noted how can we know that the ComboFix tool is the right one to run; attempting to run that tool on an inappropriate infection can cause unwanted effects which include rendering the computer completely useless :'(

Has anyone Trained in HJT analysis yet seen an HJT log from this computer to see what may be going on?
At the moment no analysis logs have been generated. HJT would not find this infection as it is no longer man enough for the job. The analysis tools I use are OTL and OTS which give a much clearer picture of the system, and no, combofix should not have been attempted until the nature of the infection is known (I do not think Combofix will run on this bit of malware until the way is prepared for it). But, until this system is up again no analysis tools can be run.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #70 on: November 01, 2009, 03:39:27 PM »
essexboy

Isn't the use of Puppy Linux a "parallel install" more or less only temporary?

And if I upload a new clean file to the Windows system -- if this is an infected file --
wouldn't the virus just infect it again?

Also.. I have a feeling that a lot of other system files are going to be needed
by Repair..

Can your OTS / OTL program be run using Puppy Linux? or does it have
to sit right on the OS it maps out?

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #71 on: November 01, 2009, 03:46:02 PM »
Snowflake

If you go back through all of the info here .. this virus I have will not allow me to
execute anything .. it immediately kills the program .. or infects it... so we are
doing a workaround.. getting access to the drive and OS without being in the OS
is pretty much a beginning.. till we can get control of the Virus and not vice versa.

Then we hopefully can run tools that will identify all the problem areas and thus
make repairs.


Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #72 on: November 01, 2009, 03:50:50 PM »
Unfortunately it only runs in a windows or PE environment. The Author hasn't thought about a Linux version, I may put that to him.

Quote
And if I upload a new clean file to the Windows system -- if this is an infected file --
wouldn't the virus just infect it again?
The indications we have so far are that the file that does the infecting is deleted once it has done its job. So a new file should be safe.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #73 on: November 01, 2009, 03:54:19 PM »
Aha, here we go then. You state that it seems to have found only one or two files each time you've run it, but that would be only what it's showing in the short bit of the log you can see when it finishes. You need to grab the log from the hard drive and look at it; better still, share it with us.

From that computer, please reply to this forum and attach the logfile so that we may look at it. Note that the linux file structure is different than Windows, and you'll need to "Browse" then double-click "File System" then "mnt" then "sda2" then "xfprot.log" if you changed its location as suggested.

Did you leave it in report only or did you change its behavior to automatic? If you changed it to automatic at some point, it may have deleted some or all of the problem files the first time, which would remove them from the log the second time. This is OK, but it would be better to know what we're dealing with here.

As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.

Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #74 on: November 01, 2009, 03:59:04 PM »
Quote
As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.
Now this is a trick I would like to have access to and use (full credit given)  ;D